Setting up secure public computers

PUBLIC COMPUTERS IN ACTIVIST SPACES SHOULD USE LIVE DISKS, NOT HARD DRIVES!

A public computer running Microsoft Windows is a dangerous trap. Even a machine with Linux on a hard drive is vulnerable to recovery of “deleted” history, cookies (as in EMAIL PASSWORDS?), and cache.

We all remember the infamous police raid on the Long Haul Infoshop on the West Coast. One of the things the pigs did there was to steal hard drives from public access computers. This meant they could run data recovery to retrieve emails, passwords, anything.

You can’t use encryption to stop this because all users would have to be given the password, meaning an undercover could get it with ease.

Even if you use home-on-ram or firefox-on-ram scripts, an attacker could crack the root passwords remotely, then enter the activist space and replace the scripts or stop them from running at boot time. Therefore, hard drives of any kind are an unacceptable security hazard for activist public access computers.

As a result, the Long Haul Infoshop chose not to replace those hard drives. Instead, Linux live disks (I don’t know which distro) were dropped into the CD drives, guaranteeing that the computers could not save anything except to the user’s own flash drive. Next raid gets nothing, reducing the chance of any more raids.

HOWTO:

For modern computers, a Linux Mint or Ubuntu MATE live disk is probably the best option. Mint offers its default Cinnamon desktop environment or the MATE environment derived from GNOME 2. They are used the same way, but MATE gives better performance, so it is now recommended for almost all cases.

Use the 64 bit MATE version of Mint or 64 bit Ubuntu MATE (the recommended version) if at least 4GB of RAM are installed and all of your machines support 64 bit. If you only have 1 GB of RAM in the computers in question, use 32 bit, as it will give better performance in websites due to how the “garbage collection” routine in JavaScript engines works. For 2GB you can go either way, again assuming 64 bit CPU support.

Most Core 2 or later Intel machines, and all AMD machines built after 2003 support 64 bit. There are even a few of the later Pentium 4’s that support 64 bit, but most do not. You need 64 bit to make full use of 4GB or more of RAM.

Linux Mint and Ubuntu have greatly improved the boot speed of their live DVD’s in recent years, though they are still not as fast as running from a USB drive. USB drive install (LIVE only) is a good option so long as “persistence” is NOT selected when the USB drives are first set up. For the current approach of using the dd command to copy the disk image onto a USB stick, persistence files are not possible and the resulting stick is entirely safe to use. Some older machines won’t boot these sticks, however, so you might have to use DVD’s with those at a price in speed.
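The dd approach described above, with the image checked before writing and the stick read back afterwards, as an added example that is not part of the original article. The function names are made up for illustration, /dev/sdX is a placeholder for the stick's device node, and the expected checksum is assumed to come from the distro's download page.

```shell
#!/bin/sh
# Added example: check a live image, write it with dd, then read it back.

sha256_of() {                      # SHA-256 of a whole file
    sha256sum "$1" | awk '{print $1}'
}

# verify_image IMAGE EXPECTED_SHA256: refuse images that do not match the
# checksum published by the distro.
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# verify_stick IMAGE TARGET: the first len(IMAGE) bytes of TARGET must be
# identical to IMAGE. Also usable later to spot a swapped or altered stick.
verify_stick() {
    size=$(($(wc -c < "$1")))
    [ "$(head -c "$size" "$2" | sha256sum | awk '{print $1}')" = "$(sha256_of "$1")" ]
}

# write_live_stick IMAGE EXPECTED_SHA256 TARGET
# TARGET is the whole device (placeholder: /dev/sdX), never a partition.
write_live_stick() {
    verify_image "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    dd if="$1" of="$3" bs=4M conv=fsync,notrunc status=none || return 2
    verify_stick "$1" "$3" || { echo "read-back mismatch: $3" >&2; return 3; }
    echo "written and verified: $3"
}

# Constructed demo on scratch files, so nothing real is overwritten.
demo() {
    d=$(mktemp -d) || return 1
    head -c 1048576 /dev/urandom > "$d/live.iso"    # stand-in for the ISO
    head -c 2097152 /dev/zero > "$d/stick.img"      # stand-in for the stick
    write_live_stick "$d/live.iso" "$(sha256_of "$d/live.iso")" "$d/stick.img"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

On a real device, unplug and re-insert the stick before running verify_stick again so the comparison reads the media rather than the kernel's cache.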

Older versions of Linux Mint supported all the video codecs used by websites, but the current ones do not. Thus, the instructions for installing the video codecs might have to be taped to the machine for use by anyone needing to deal with video.

USING OLD MACHINES FOR A CHEAP PUBLIC ACCESS COMPUTER CENTER

Note that this section may no longer be useful in environments where smartphones are common, as Pentium III and even Pentium 4 class machines can no longer keep up with the performance of modern ARM phones. Thus many websites have also gotten too heavy for these machines and even cause issues for Intel Atom netbooks.

While Ubuntu MATE, Linux Mint and many other Linux distros both run from and install from a live disk, these live disks are painfully slow to boot and use on older computers (Pentium III and earlier), as they are not designed for speed. There are special distros, notably DSL (Damn Small Linux), which are intended especially to get older computers online and run as live CD’s. Unlike Mint, these won’t play web video but will fit on a CD. Computers requiring these distros are usually too slow for any video other than the tiny “mobile” format anyway. Computers using ultralight distros will normally require a “how-to” guide sitting on the table with them for new users.

Knoppix was a more full-featured distro specialized for running as a live disk (DSL is based on it, as were the first Ubuntu live disks), but its website is no longer active.

You can use computers as old as Pentium II’s or even original Pentiums with DSL, though you will need more RAM than most of these came with to avoid crashes when using Firefox. When I tested DSL on a 233 MHz Pentium II laptop with 64MB RAM, it was not slow in any way, but Firefox, necessary for a lot of websites, kept locking up due to inadequate memory. These days, many websites will also be too heavy for these machines, so anything older than a Pentium 4 or Athlon Thunderbird might be too old for your users’ intended websites. This has gotten far worse as cellphone performance has picked up, causing webmasters to treat the last year’s phones as the slowest systems they care to worry about.

For setting up a safe “live disk” public computer center, get a bunch of old “junk” computers. You can get Pentium 3’s and these days usually Pentium 4’s for next to nothing, and newer machines are becoming more and more common as people ditch their desktops for far slower and less secure smartphones.

Sort the machines, and use the ones with the fastest processors. Pull out the hard drives; you won’t be using them. Sell them on eBay, take them home and use them, whatever, just don’t use hard drives for public computing. If any “good” computers lack CD drives, pull them from clunkers and install them. Next you need to stuff the good ones with RAM (memory) from the clunkers.

RAM for public machines on live disks:

The space in RAM is all the “disk” space you get, and Firefox defaults to 50MB of cache. You can change that, but would have to do so every time you boot. Your users will need to save all files they need to keep to USB disks they bring.

Modern machines with Linux Mint need at least 512 MB and really should have a full 1GB installed. This is surprisingly easy to get once you start tearing down the clunkers for parts. While DSL (which really old stuff can use online) will boot with just 16MB of RAM (!), Firefox will crash and lock the machine up frequently with 64MB of RAM, so expect that 128MB or, better, 256MB should be used for these public computers, even on DSL.

Pull the RAM sticks out of the machines you won’t be using, and sort them. Most Pentium II, Pentium III, AMD K6’s and some early AMD Athlons will use “PC-100” or “PC-133.” You can use PC-133 in a PC-100 machine, but not the other way around. Pentium 4’s might use PC-800 (rare and $$$), DDR (in a variety of speeds like DDR-266, DDR-400, etc.) or DDR2, again in a variety of speeds. Later AMD Athlons and AMD 64 Athlons prior to the dual-core era all use DDR. Some Athlon Thunderbird boards could use either PC-133 or DDR. Load those with DDR if you have it. Machines that come with DDR should have plenty of RAM installed; one stick is usually 2 GB at least. DDR2 machines (Core 2, AMD Socket AM2/AM2+) should have enough as well, but always check.

In each “good” machine, fill up the memory slots with the largest RAM sticks you have that match the type and have at least as high a speed (number).

I recommend configuring the BIOS to boot from CD first unless you have machines that will boot from USB sticks (most newer ones, few older ones). These should be set to boot from USB first, then CD.

Mark machines that can boot from USB so people with things like encryption-supporting operating systems on USB can use them.

Unsecured wireless networks give maximum public access but are somewhat easier to spy on. Of course, as easy as it is to get ISP’s to cooperate with cops, I don’t suppose that matters much.

Drop in your live disks, test boot, make sure the computers see the network, and start promoting free semi-secure public access. Remind users to REBOOT if they need to immediately destroy temporary files and old emails when they are done! You will no doubt need to include a simple “how to use” printout next to each machine so people not familiar with Linux can find the Firefox browser and get to the internet.
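During the test boot, the two things this guide rules out (a hard drive left in the case, and a live stick set up with persistence) can be checked from the running live session. This is an added example, not part of the original article; the function name is hypothetical and the list of persistence labels is an assumption to adjust for the distro in use.

```shell
#!/bin/sh
# Added example: audit a test-booted machine for storage that outlives a reboot.
# Input is the output of:  lsblk -P -o NAME,TYPE,RM,TRAN,LABEL
# PERSIST_LABELS is an assumed list of labels used for live-USB persistence.
PERSIST_LABELS="casper-rw home-rw writable persistence"

# audit_storage: read lsblk -P lines on stdin, print one finding per line,
# and return 1 if anything was found.
audit_storage() {
    awk -v labels="$PERSIST_LABELS" '
    # val(key): extract the quoted value of KEY="..." from the current line
    function val(key,   s) {
        if (!match(" " $0, " " key "=\"[^\"]*\"")) return ""
        s = substr(" " $0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    BEGIN { n = split(labels, l, " "); for (i = 1; i <= n; i++) bad[l[i]] = 1 }
    {
        name = val("NAME"); type = val("TYPE"); rm = val("RM")
        tran = val("TRAN"); label = val("LABEL")
        # a whole disk that is neither removable nor on the USB bus
        if (type == "disk" && rm == "0" && tran != "usb") {
            print "internal-disk " name; found = 1
        }
        # a partition whose label marks it as a persistence store
        if (label in bad) {
            print "persistence-store " name " (" label ")"; found = 1
        }
    }
    END { exit found ? 1 : 0 }'
}

# Constructed sample: a leftover SATA drive plus a stick with persistence.
SAMPLE='NAME="sda" TYPE="disk" RM="0" TRAN="sata" LABEL=""
NAME="sdb" TYPE="disk" RM="1" TRAN="usb" LABEL=""
NAME="sdb3" TYPE="part" RM="1" TRAN="" LABEL="casper-rw"
NAME="sr0" TYPE="rom" RM="1" TRAN="sata" LABEL=""'
printf '%s\n' "$SAMPLE" | audit_storage || echo "not ready for public use"
```

On a real machine, pipe the live session's `lsblk -P -o NAME,TYPE,RM,TRAN,LABEL` output into audit_storage instead of the sample.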